Privacy Notice
Effective date: 01/07/2026
Last updated: 01/07/2026
Version: v1.0
-
This Privacy Notice explains how Reshape Systems SA (“Reshape Systems,” “we,” “us,” or “our”) collects, uses, shares, and otherwise processes personal data in connection with:
our public website at www.reshape.systems;
our cloud-based web application and related services (the “Service”), including our AI-assisted engineering co-pilot supporting systems engineering workflows such as risk analysis, FMEA, HAZOP, reporting, and compliance; and
our business communications, support, security, and operations.
This Privacy Notice also explains your rights and choices regarding your personal data.
-
Reshape Systems SA
Route des Flumeaux 46
1008 Prilly
SwitzerlandEmail: dpo@reshape.systems
-
Reshape Systems SA is responsible for the processing of personal data described in this Privacy Notice, except where we process personal data on behalf of our customers.
In particular:
we act as controller for personal data processed for our own business purposes, such as account administration, authentication, security, billing, contractual management, product operations, and legal compliance; and
we act as processor or service provider for personal data contained in customer-uploaded content and related user activity within the Service, where we process such data on behalf of our business customers.
If you use the Service through your employer or another organization, that organization may also be responsible for certain processing of your personal data. If you have questions about how your organization uses the Service, please contact your organization directly.
-
This Privacy Notice applies to personal data we process about:
visitors to our website;
users of the Service;
customer administrators and authorized users;
representatives of customers, prospects, partners, and vendors;
individuals who contact us for sales, support, or other business purposes; and
individuals whose personal data may be included in content uploaded to or processed through the Service.
This Privacy Notice does not apply to:
third-party websites, services, or applications that we do not control; or
employment-related personal data processed in the context of recruitment or employment, unless expressly stated otherwise.
-
The personal data we collect depends on how you interact with us and our Service.
1. Personal data you provide directly
We may collect personal data that you or your organization provide to us, including:
Account and profile information, such as name, work email address, username, password, organization name, job title, phone number, and account preferences;
Authentication and security information, such as login credentials, multi-factor authentication data, and SSO-related information;
Customer content and uploaded materials, such as technical documentation, engineering records, reports, attachments, comments, and other files uploaded to the Service;
Prompts, queries, and chatbot interactions, including free-text submissions and interactions with AI-assisted features;
Outputs and user modifications, including generated analyses, summaries, reports, risk assessments, and edits or corrections made by users;
Support and communications data, such as information shared when contacting us for assistance, onboarding, training, or other requests; and
Acknowledgement records, such as records showing that you reviewed this Privacy Notice or acknowledged product-related notices.
2. Personal data collected automatically
When you use our website or Service, we may automatically collect certain information, including:
Log and device data, such as IP address, browser type, operating system, device identifiers, language settings, and access timestamps;
Usage data, such as pages viewed, features used, navigation paths, and interaction history within the Service;
Security and audit data, such as authentication events, administrative actions, error logs, and system activity logs; and
Cookie and similar technology data, as described in our Cookie Policy and cookie consent mechanism.
3. Personal data from other sources
We may receive personal data from:
your employer or organization, including when accounts are provisioned by us or by a customer administrator;
identity providers and SSO providers;
service providers supporting our infrastructure and operations; and
publicly available business sources, where permitted by law.
4. Sensitive data
Our Service is designed for professional engineering use and is not intended for the routine processing of special category or other highly sensitive personal data.
However, documents uploaded to the Service may incidentally contain personal data, such as names, business roles, work contact details, authorship references, or similar information embedded in technical documentation. Users remain responsible for ensuring that the content they upload is appropriate and lawful.
-
We may use personal data for the following purposes:
1. To provide and operate the website and Service
Including to:
create and manage accounts;
authenticate users and enable secure access;
provide requested features and functionality;
support document upload, analysis, reporting, and collaboration workflows; and
maintain the availability, integrity, and performance of the Service.
2. To provide AI-assisted functionality
Including to:
process uploaded content, prompts, and related context to generate requested outputs;
support risk analysis, engineering review, summarization, reporting, and compliance workflows; and
enable users to review, edit, and refine outputs.
3. To communicate with you
Including to:
respond to inquiries;
provide onboarding and support;
send service-related notifications, administrative messages, and security notices; and
communicate about contractual or operational matters.
4. To secure our systems and prevent misuse
Including to:
monitor authentication and access;
detect, investigate, and respond to unauthorized access, fraud, misuse, or other harmful activity;
generate and maintain audit trails and logs; and
enforce our contractual terms and internal policies.
5. To maintain and improve our services
Including to:
troubleshoot issues and debug errors;
monitor service quality, reliability, and performance;
improve usability, stability, and security; and
support internal analytics relating to service operations.
For clarity, we do not use customer-uploaded content, prompts, outputs, or related data to train our own models or any third-party foundation models.
6. To comply with legal obligations and protect rights
Including to:
comply with applicable law, regulations, and lawful requests;
protect our rights, property, systems, personnel, customers, and users; and
support legal claims, audits, investigations, and regulatory inquiries.
7. For business operations
Including to:
administer contracts, orders, invoicing, and procurement;
maintain internal records and governance processes; and
manage relationships with customers, partners, and suppliers.
8. Marketing communications
We do not currently send regular marketing communications. If we do so in the future, we may use business contact information to send updates, newsletters, event invitations, or similar communications where permitted by applicable law. You will be able to opt out of such communications at any time.
-
Where the GDPR or similar laws apply, we process personal data on one or more of the following legal bases:
Performance of a contract, where processing is necessary to provide the website or Service, create and manage accounts, authenticate users, and perform our contractual obligations;
Legitimate interests, where processing is necessary for our legitimate business interests, such as securing and improving the Service, supporting users, preventing misuse, and managing our business operations, provided those interests are not overridden by your rights and interests;
Compliance with legal obligations, where processing is required to comply with applicable laws, regulations, or lawful requests; and
Consent, where required by law, such as for certain cookies or future marketing communications.
For clarity, your acknowledgement of this Privacy Notice is used as confirmation that the notice was presented to you; it is not the legal basis for all processing described herein.
-
The Service includes AI-assisted features intended to support engineering and risk analysis workflows.
When you use these features, we may process:
uploaded documents and other customer content;
prompts, queries, and instructions entered by users;
contextual information required to generate outputs;
generated outputs; and
user edits and revisions.
AI-assisted outputs may contain errors, omissions, or inaccurate results and must be reviewed by qualified users before being relied upon.
Reshape Systems does not use customer-uploaded content, prompts, outputs, or related data to train its own models or third-party foundation models. We also configure our AI-related service arrangements so that submitted data is not retained or used by providers for model training.
-
We use cookies and similar technologies on our website and, where applicable, within the Service for purposes such as:
essential functionality;
authentication and session management;
security and fraud prevention;
analytics and performance measurement; and
user preferences.
Where required by law, we request consent before placing non-essential cookies or similar technologies on your device.
For more information, please see our Cookie Policy.
-
We may share personal data with the following categories of recipients:
1. Service providers and subprocessors
We may share personal data with service providers and subprocessors that support our operations, including providers of:
cloud hosting and infrastructure;
AI processing services;
identity and access management;
email and communications services;
customer relationship management;
analytics;
monitoring and logging;
billing and finance tools; and
security-related services.
These parties are permitted to process personal data only as necessary to provide services to us and subject to appropriate contractual safeguards.
2. Customer organizations
If you use the Service through an employer or another organization, that organization may access and control data associated with your account and use of the Service, in accordance with its policies and applicable law.
3. Professional advisors
We may share personal data with lawyers, auditors, accountants, insurers, and other professional advisors where necessary for legal, compliance, financial, or business purposes.
4. Authorities and legal compliance
We may disclose personal data to courts, regulators, law enforcement, or other third parties where required by law or where necessary to protect rights, safety, or the integrity of our systems and services.
5. Corporate transactions
We may disclose personal data in connection with a merger, acquisition, reorganization, financing, asset sale, or similar corporate transaction, subject to appropriate safeguards.
-
We generally host and process personal data in Switzerland and/or the European Economic Area (EEA).
For certain customers, including certain customers located in the United States, data may be hosted in the United States where specifically agreed or operationally required.
Where personal data is transferred internationally, including outside Switzerland, the EEA, the United Kingdom, or other jurisdictions with transfer restrictions, we implement appropriate safeguards as required by applicable law. These may include:
adequacy decisions;
standard contractual clauses; and
other legally recognized transfer mechanisms.
If you would like more information about applicable transfer safeguards, you may contact us at dpo@reshape.systems.
-
We retain personal data for as long as necessary for the purposes described in this Privacy Notice, including to provide the Service, meet contractual obligations, comply with legal requirements, resolve disputes, enforce agreements, and maintain security and audit records.
Retention periods may vary depending on the nature of the data, customer instructions, legal obligations, and technical requirements. Unless a different period is required by law, contract, or customer instruction, we currently intend to apply the following retention approach:
User account data: Duration of contract or active account period + 30 days
Customer-uploaded content, metadata, and workflow traces after deletion or contract termination: Duration of contract or active account period + 30 days
Suspended accounts before closure:15-day grace period, followed by the applicable 30-day retrieval period
Backups and disaster recovery copies: Retained in accordance with our backup and recovery procedures, Azure-managed backup settings, and applicable contractual or legal requirement
Audit and security logs: At least 12 months
Security documentation, audit reports, and similar compliance records: At least 7 years
Support or service communications: Retained for as long as necessary to handle the request, manage the customer relationship, and satisfy legal, operational, or recordkeeping requirements
Privacy and policy acknowledgement records:Up to 7 years.
Where applicable, customer content retained in backups is deleted in accordance with applicable backup cycles and technical constraints.
-
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction.
These measures may include, as appropriate:
access controls and least-privilege restrictions;
password protection, MFA, and SSO controls;
encryption in transit and, where applicable, at rest;
logging and monitoring;
secure infrastructure and network protections; and
internal processes designed to support secure development and operations.
However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
-
Depending on your location and applicable law, you may have the right to:
request access to your personal data;
request correction of inaccurate or incomplete personal data;
request deletion of your personal data;
request restriction of processing;
object to certain processing;
request portability of certain personal data;
withdraw consent where processing is based on consent; and
lodge a complaint with a competent supervisory authority.
To exercise your rights, please contact us at dpo@reshape.systems.
We may need to verify your identity before responding to your request. If we process your personal data on behalf of one of our customers, we may direct your request to that customer where appropriate.
-
The Service is provided for professional B2B use only.
If your account is associated with your employer or another organization, that organization may have the ability to:
administer your account;
add or remove users;
reset credentials;
configure authentication methods such as SSO;
access, export, or delete data associated with organizational use of the Service; and
monitor or review use of the Service in accordance with its own policies and applicable law.
Please contact your organization if you have questions about its administration of your account or its internal privacy practices.
-
Our website and Service are intended only for adults acting in a professional capacity and are not directed to individuals under the age of 18.
We do not knowingly collect personal data from anyone under 18. If you believe that a person under 18 has provided personal data to us, please contact us at dpo@reshape.systems so that we can take appropriate action.
-
Our website or Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy notices.
-
We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.
When we make changes, we will update the Effective Date, Last Updated date, and version number above. If changes are material, we may provide additional notice through the website, the Service, or other appropriate means.
Where appropriate, we may require users to review and re-acknowledge an updated version before continuing to use the Service.
-
If you have questions, concerns, or requests regarding this Privacy Notice or our processing of personal data, please contact:
Reshape Systems SA
Route des Flumeaux 46
1008 Prilly
SwitzerlandEmail: dpo@reshape.systems

